Just a few days ago, the notorious Internet of Things (IoT) botnet known as Mirai (detected by Trend Micro as ELF_MIRAI family) was found to be active in a new campaign targeting Argentina, with red flags raised after an increase in traffic on ports 2323 and 23. It appears that the campaign has already spread further to other parts of South America and North Africa: we detected a spike of activity from Mirai in a series of attack attempts in Colombia, Ecuador, Panama, Egypt, and Tunisia, as well as more activity in Argentina.
We were able to gather data from six countries regarding this newest wave. From November 29, 2:00 UTC to November 29, 8:00 UTC, 371,640 attack attempts were detected coming from roughly 9,000 unique IP addresses. Colombia emerged as the main target for the second wave of attack attempts, with Ecuador, Argentina, Egypt, and Tunisia showing similar patterns. The exception is Panama, which experienced attacks later and showed lower numbers than the other countries. The graphs below compare the frequency of attacks for the first wave (Argentina) and the second wave (Colombia and Panama):
Figures 1 and 2: Timeline and frequency of attacks for the first and second waves (All times in UTC)
As we can see from the graphs, there are two distinct waves of attack attempts. The first wave, targeting Argentina, started on November 22, around 16:00 UTC. The campaign then subsided until it fell below 1,000 attack attempts around November 25, 1:00 UTC. The second wave of attack attempts started on November 29, 4:00 UTC. However, unlike the Argentina attacks, the second wave was much more evenly distributed, with Colombia bearing the brunt of the attempts. The attack attempts first peaked at around November 29 and slowly started to subside from there. Attacks peaked again on December 1, 8:00 to 9:00 UTC, with the highest recorded single-hour attack attempts occurring in Colombia (80,825 at 7:00 UTC).
We were also able to track the unique IP addresses of the attackers. For the first wave of attack attempts, the IPs also originated from Argentina, which means that both the target and the attacker were mostly located in the same area. A similar pattern emerged in the second wave: The attackers were similarly distributed among the five primary countries that were the main focus of the second wave, with Panama showing a lower count.
Figures 3 and 4: Unique attack attempts IP count for the first and second waves (All times in UTC)
While the numbers of attack attempts were lower than the ones that hit Argentina, the attacks themselves were more extensive, with the number of attack attempts in Colombia being particularly notable. In addition to the second spike of attacks mentioned earlier, attempts in Colombia also peaked at 56,748 in a single hour on November 29, 5:00 UTC. In contrast, the first wave of attempts peaked at 24,716 on November 22, 23:00 UTC.
As for the targets, we managed to find a variety of devices, including IP cameras, digital video recorders (DVRs), network video recorders (NVRs), as well as modems. This can be seen in the partial list of attacker credentials below, which covers all of the mentioned device types, including various brands like ZyXEL and Dahua. Here are some of the notable ones we found in Colombia:
| Username | Password | Device |
|---|---|---|
| root | xc3511 | Xiong Mai Technology IP cam, DVR, NVR |
| Wproot | cat1029 | Tenvis TH692 Outdoor P2P HD Waterproof IP Camera |
As with the earlier wave, the attackers are still trying to exploit ZyXEL modems as entry points, along with other devices that were not seen in the earlier attacks targeting Argentina – in particular, the Tenvis TH692 Outdoor P2P HD Waterproof IP Camera. We checked all the collected credentials from November 1 to December 1 but never found any trace of “Wproot” (the default account of the Tenvis TH692 Outdoor P2P HD Waterproof IP Camera) before November 28. Based on our monitoring data, the first instance of “Wproot” appeared on November 29, 3:00 UTC.
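The first-seen check described above, along with the hourly attempt and unique-IP counts used earlier in this post, can be reproduced over sensor logs as in the following added example. It is not Trend Micro's tooling: the log format, the sample records, and the function names are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not data from the article): one line per login
# attempt seen by a hypothetical honeypot sensor, in the assumed format
# "<UTC time> <source IP> <destination port> <username>". IPs are doc ranges.
SAMPLE_LOG = """\
2016-11-28T22:15:09Z 192.0.2.10 23 root
2016-11-29T03:05:44Z 198.51.100.7 23 Wproot
2016-11-29T03:48:02Z 192.0.2.10 23 root
2016-11-29T04:12:27Z 203.0.113.5 2323 Wproot
2016-11-29T04:13:50Z 198.51.100.7 23 root
2016-11-29T04:59:59Z 203.0.113.5 80 root
malformed line
"""

TELNET_PORTS = {23, 2323}  # the two ports whose traffic increase raised the flag

def parse(log_text):
    """Yield (timestamp, ip, username) for well-formed records on Telnet ports."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[2].isdigit():
            continue  # skip truncated or malformed lines
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        if int(parts[2]) in TELNET_PORTS:
            yield ts.replace(tzinfo=timezone.utc), parts[1], parts[3]

def summarize(log_text):
    """Return (attempts per hour, unique source IPs per hour, first-seen per username)."""
    attempts = defaultdict(int)
    sources = defaultdict(set)
    first_seen = {}
    for ts, ip, user in parse(log_text):
        hour = ts.replace(minute=0, second=0)
        attempts[hour] += 1
        sources[hour].add(ip)
        first_seen[user] = min(ts, first_seen.get(user, ts))
    return dict(attempts), {h: len(s) for h, s in sources.items()}, first_seen

def new_usernames(first_seen, baseline_end):
    """Usernames never observed before baseline_end, earliest first."""
    return sorted((u for u, t in first_seen.items() if t >= baseline_end),
                  key=first_seen.get)
```

A username that appears in `new_usernames` for the current window is the signal that a campaign has added a new device model to its credential list.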
So far, we are still determining the reason why these countries were attacked, and whether the two waves are connected. We will continue to monitor these attacks and provide an update accordingly.